CLAIM AMENDMENTS:

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 



1. (Currently amended) A method for detecting intrusion in a host via a monitoring
daemon operating in conjunction with a configuration file defining data entities to be monitored,
said the method as implemented in said host comprising the steps of:

[[a. ]]monitoring said data entities via comparing a locally stored copy of a digital
signature associated with each data entity against a corresponding digital
signature stored in a first remote database; and
[[b. ]]upon identifying a mismatch in compared digital signatures, issuing an instruction
to record an entry in a log file located in a second remote database, said entry
identifying a possible intrusion in said a host.

2. (Currently amended) A The method for detecting intrusion in a host via a monitoring
daemon operating in conjunction with a configuration file defining data entities to be monitored,
as per of claim 1, wherein said host communicates with said first and second remote databases
via one or more network interfaces and, subsequent to step (b), said method further comprises
the step of comprising issuing a command to bring down said one or more network interfaces to
isolate said host upon identifying the mismatch in compared digital signatures.

3. (Currently amended) A The method for detecting intrusion in a host via a monitoring
daemon operating in conjunction with a configuration file defining data entities to be monitored,
as per of claim 1, wherein, subsequent to step (b), said method further comprises the step of
comprising issuing a command to an operating system of the host to bring said host to a single
user state upon identifying the mismatch in compared digital signatures.

4. (Currently amended) A The method for detecting intrusion in a host via a monitoring
daemon operating in conjunction with a configuration file defining data entities to be monitored,
as per of claim 1, wherein said first remote database and said second remote database are located
on a single server or a plurality of servers belonging to a local area network.

5. (Currently amended) A The method for detecting intrusion in a host via a monitoring
daemon operating in conjunction with a configuration file defining data entities to be monitored,
as per of claim 1, wherein communications between said host and first remote database are
encrypted.

6. (Currently amended) A The method for detecting intrusion in a host via a monitoring
daemon operating in conjunction with a configuration file defining data entities to be monitored,
as per of claim 1, wherein communications between said host and second remote database are
encrypted.

7. (Currently amended) A The method for detecting intrusion in a host via a monitoring
daemon operating in conjunction with a configuration file defining data entities to be monitored,
as per of claim 1, wherein said digital signature is an MD5 signature and said first remote
database is an MD5 database.

8. (Currently amended) A The method for detecting intrusion in a host via a monitoring
daemon operating in conjunction with a configuration file defining data entities to be monitored,
as per of claim 1, wherein said second remote database is a SYSLOG database.

9. (Currently amended) A The method for detecting intrusion in a host via a monitoring
daemon operating in conjunction with a configuration file defining data entities to be monitored,
as per of claim 1, wherein said data entities comprise one or more are any of the following:
system files, configuration files, or and directories.

10. (Currently amended) A system to detect intrusion comprising:

[[a. ]]a host running a monitoring daemon working in conjunction with a configuration
file, said configuration file identifying files and directories to be monitored in said
host and said host communicating with external networks via one or more
network interfaces, said monitoring daemon dynamically monitoring said files
and directories identified by said configuration file by comparing a locally stored
digital signature corresponding to each file or directory against a remotely stored
corresponding digital signature;

[[b. ]]a digital signature database remote from said host storing said digital signatures
associated with files and directories identified by said configuration file; and

[[c. ]]a log database remote from said host recording entries corresponding to
mismatches between a digital signature stored in said host and a corresponding
digital signature in said digital signature database.

11. (Currently amended) A The system to detect intrusion as per claim 10, wherein said
first remote digital signature database and said log second remote database are located on a
single server or a plurality of servers belonging to a local area network.

12. (Currently amended) A The system to detect intrusion as per claim 10, wherein
communications between said host and said digital signature database are encrypted.

13. (Currently amended) A The system to detect intrusion as per claim 10, wherein 
communications between said host and log database are encrypted. 

14. (Currently amended) A The system to detect intrusion as per claim 10, wherein said
digital signature is an MD5 signature and said first remote database is an MD5 database.

15. (Currently amended) An article of manufacture comprising a computer usable
medium having computer readable program code embod embedded therein to detect intrusion in
a host via a monitoring daemon operating in conjunction with a configuration file defining data
entities to be monitored, said medium comprising:

[[a. ]]computer readable program code comprising executable instructions to monitor
monitoring said data entities via comparing a locally stored copy of a digital
signature associated with each data entity against a corresponding digital
signature stored in a first remote database; and
[[b. ]]upon identifying a mismatch in compared digital signatures, computer readable
program code comprising executable instructions to issue issuing an instruction to
record an entry in a log file located in a second remote database upon identifying
a mismatch in compared digital signatures, said entry identifying a possible
intrusion in said a host.

16. (Currently amended) An The article of manufacture as per claim 15, wherein said
host communicates with said first and second remote databases via one or more network
interfaces and said medium further comprises comprising computer readable program code
comprising executable instructions to issue issuing a command to bring down said one or more
network interfaces to isolate said host upon identifying the mismatch in compared digital
signatures.

17. (Currently amended) An The article of manufacture, as per claim 15, wherein said
method further comprises comprising computer readable program code comprising executable
instructions to issue the step of issuing a command to an operating system of said host to bring
said host to a single user state upon identifying the mismatch in compared digital signatures.

18. (Currently amended) An intrusion detection and isolation method implemented using
a monitoring daemon in a host, said host having one or more network interfaces to communicate
over one or more networks, said method comprising the steps of:

[[a. ]]reading a configuration file to identify data entities to be monitored on a host;
[[b. ]]for each data entity to be monitored, extracting a digital signature from said host;
[[c. ]]for each data entity to be monitored, querying a remote digital signature database
via said one or more network interfaces and requesting a digital signature
corresponding to said digital signature extracted from said host;
[[d. ]]for each data entity to be monitored, receiving said corresponding digital signature
from said remote digital signature database;
[[e. ]]matching digital signature received from said remote digital signature database
with digital signature extracted at said host;
[[f. ]]upon identifying a mismatch, transmitting an instruction to a remote log database
via said one or more network interfaces, said instruction executed in said remote
log database to record an entry in a log file indicating a possible intrusion in said
host; and
[[g. ]]performing any at least one of, or a combination of, the following steps:
[[(i) ]]issuing a command to bring down said one or more network interfaces to
isolate said host; or and
[[(ii) ]]issuing a command to an operating system of host to bring said host to a
single user state.

19. (Currently amended) The An intrusion detection and isolation method implemented
using a monitoring daemon in a host, as per claim 18, wherein said digital signature database and
said log database are located on a single server or a plurality of servers belonging to a local area
network.

20. (Currently amended) The An intrusion detection and isolation method implemented
using a monitoring daemon in a host, as per claim 18, wherein communications between said
host and digital signature database are encrypted.

21. (Currently amended) The An intrusion detection and isolation method implemented
using a monitoring daemon in a host, as per claim 18, wherein communications between said
host and log database are encrypted.



an MD5 database. 

23. (Currently amended) The An intrusion detection and isolation method implemented
using a monitoring daemon in a host, as per claim 18, wherein said log database is a SYSLOG
database.

24. (Currently amended) The An intrusion detection and isolation method implemented
using a monitoring daemon in a host, as per claim 18, wherein said data entities are any of the
following: system files, configuration files, or directories.
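
The flow recited in claim 18, sketched as an added Python example (not code from the application): a dictionary and a list stand in for the remote signature and log databases, SHA-256 is the default digest, and the interface name and isolation commands are assumptions that are returned rather than executed.

```python
import hashlib
import os
import tempfile

def extract_signature(path, algo="sha256"):
    """Digest of a file's bytes, or of a directory's sorted entry names."""
    h = hashlib.new(algo)  # claims 7 and 14 name MD5: pass algo="md5" to match
    if os.path.isdir(path):
        h.update("\n".join(sorted(os.listdir(path))).encode())
    else:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return h.hexdigest()

def read_config(text):
    """One monitored path per line; blank lines and # comments are skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def check_host(config_text, signature_db, log_db, interfaces=("eth0",)):
    """Compare each entity with the remote baseline; log and plan isolation."""
    mismatched = []
    for path in read_config(config_text):
        try:
            local = extract_signature(path)
        except OSError:
            local = None  # a deleted or unreadable entity counts as a mismatch
        if local is None or local != signature_db.get(path):
            mismatched.append(path)
            log_db.append(f"possible intrusion: signature mismatch on {path}")
    if not mismatched:
        return mismatched, []
    # Assumed commands; returned, not run, so the caller decides how to isolate.
    plan = [f"ip link set {i} down" for i in interfaces] + ["telinit 1"]
    return mismatched, plan

def demo():
    """Constructed sample: baseline two files, tamper with one, re-check."""
    with tempfile.TemporaryDirectory() as d:
        p1, p2 = os.path.join(d, "passwd"), os.path.join(d, "sshd_config")
        for p, data in ((p1, b"root:x:0:0\n"), (p2, b"PermitRootLogin no\n")):
            with open(p, "wb") as f:
                f.write(data)
        db = {p: extract_signature(p) for p in (p1, p2)}  # stand-in remote DB
        config, log = f"# monitored entities\n{p1}\n{p2}\n", []
        clean = check_host(config, db, log)
        with open(p2, "ab") as f:
            f.write(b"PermitRootLogin yes\n")
        bad, plan = check_host(config, db, log)
        return clean, [os.path.basename(p) for p in bad], plan, len(log)
```
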